Disabling SSL 3.0 Support on Your Server (POODLE Configuration)
Due to a critical security vulnerability with SSL 3.0 (an 18-year-old, outdated technology), we recommend disabling it on your server. We have instructions on how to do that in the Updating section but recommend reading the entire document to understand the scope of what this does.
What does POODLE do?
In short, it's a way attackers can compromise SSL certificates if they're on the same network as the target if (and only if) the server the target is communicating with supports SSL 3.0.
Google has a lot more detail on their security blog here.
Does POODLE affect my server/sites?
Because POODLE is a vulnerability in SSL technology, it only impacts sites using SSL certificates. If your server or your sites don't use an SSL certificate, you don't need to update your server. However, we recommend doing it now in case you do end up installing an SSL certificate at a later date.
How you update your server depends on whether your server uses a Linux® distribution or Windows® and if it uses cPanel.
cPanel requires slightly different steps from any other control panel/operating system configuration.
To Configure cPanel to Prevent POODLE Vulnerability on HTTP
- Log in to WHM (more info).
- In the Service Configuration section, click Apache Configuration.
- Click Include Editor.
- In the Pre Main Include section, from the Select an Apache Version menu, select All Versions.
- In the field that displays, type the following, depending on which version of CentOS you're using:
CentOS Version Type this... Cent OS/RHEL 6.xSSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
Cent OS/RHEL 5.xSSLHonorCipherOrder On
SSLProtocol -All +TLSv1
If you encounter errors while applying this update, please review this forum post at cPanel that discusses potential fixes.
- Click Update.
Preventing POODLE on Other Protocols (FTP, etc.)
Right now, only servers using RHEL can protect themselves against POODLE on non-HTTPS protocols. They can do this by updating the latest version of OpenSSL, and then implementing TLS_FALLBACK_SCSV.
Servers using CentOS do not yet have a known fix for the vulnerability on non-HTTPS protocols. However, we will update this article with those instructions as soon as we do.
Modify your Apache configuration to include the following line:
For more information on how to do that, view Apache's documentation.
Modify your server's registry (which removes access SSL 3.0 support from IIS) using Microsoft's document here. You can jump down to the Disable SSL 3.0 in Windows section.